
Designers, with community projects and agile, have to start pulling in development right off the bat. So rather than going and sitting up in the corner designing out some solution and then handing it out to these different developers so they can build it, instead they want to sit with the developer, they want to kind of walk with them. Why am I talking about this? Well, because there's a missing party here, especially today, if you want to make things secure from the beginning, and that's security from the beginning. For a lot of our solutions, especially if you're an international company, there's a whole amount of security concerns that you need to start taking into consideration when you're first
So your initial stage, which includes even some sketching, thinking through the features that you're going to have, the users that are going to use it, all this stuff is impacted by security, global privacy and so on. And so we'd better really kind of train ourselves, and as security professionals prepare ourselves, to start being pulled into these development conversations a lot sooner in the process than you probably are. Say, how many people feel like they are part of those design conversations? Do you want to see two hands? A lot of times we do have that scenario where security comes in kind of last minute and says hey, sign off on the site, go solid.
So it's a really good presentation out there; Jared's talk comes out, finally funded plan, so hard look with service here. How many of us have regular access to interaction designers at any given moment, like you can call your own? I know, right? Hey, come help. I see one, another, yours. So a lot of the reality is that a lot of us are having to make these design decisions without the input of a designer, and similarly designers are making security decisions without input from security, and so we need to start figuring out how we can build a bridge between the two, and to do that we're going to need a common language. Let's throw out a couple of terms.
So these are going to be super obvious, so like risk. Ti Fergus mentioned it several times here. Why am I defining risk? Well, a lot of people haven't realized it: when I did this presentation for interaction designers, none of them had ever thought about applying risk to their design work, none of them had thought it through when they were designing a workflow. So you have a role called the interaction designer; this whole job is to look at a design process beginning to end and all the different actions that happen between, and they don't think about risk. They're thinking about how can I make this interesting and easy, how can I make this as painless as possible, and so they need
that help so they understand risk. So I've been going around trying to help give some various definitions for it, because I know what it is, but the matter is they're making a series of design decisions around concepts of risk and they're introducing risk without even realizing it. And I want to transition to talk about security questions. Who here... I thought it would be fun, especially in a room full of people, to have you guys pull security muscles on my own personal account, so I figured why not. So these are all questions, I'm sure we can probably see them at a super tiny size, but I'm going to kind of completely focus on some of the security questions that most any
designer or developer that now put out there, in this case without really considering the impacts of this, right. And so quickly they start picking apart how easily these can be found, for example: you look at my Facebook profile and see, in this case, a vehicle, and you can endlessly see what I want you to see. So there's like no hacking involved, just Facebook search. I need to find a better example for this one. So Untappd is essentially Foursquare for beer, so you can check into all these craft beers, and by throwing this out there I'm admitting my fondness for
drinking beer, and having 1600 is probably not something to be bragging about. Just ignore that for now. So up here is my Untappd public profile. You can actually go to this right now, go to Untappd and look me up, and you can go through and look and see what my top rated restaurant is; I've been there 25 times. The next is, well, this is really a bar I like to go to, and then of course the last one is, let's say, Cheers. So what's their handle? Which is this really tiny, very far away; it's a font size of 81, so
as you can see here, I live in Kansas City. And again, my public Instagram profile, my girlfriend; here are some pictures, super cute, look at us, her name is Katie. And so these are design decisions that happened at a major bank, one of the US's largest banks; that's how they're protecting their customers. And then of course, obviously, getting to the security question, it's not too good, but still the identity gap. And there are rules around security questions: hard to guess, easy to remember, doesn't change over time, but I mean this kind of shows that socially kind of
pumped anymore. Especially, I think, the NIST guidelines now are kind of pushing people away from security questions. If you look at this, it's completely managed by security questions, but that's a whole lot of points of failure that, you know, whoever was designing this, whoever was building that page, missed. So I'm going to talk about multi-factor authentication, and there are design considerations around multi-factor authentication that a lot of people probably aren't aware of. So everybody here knows multi-factor authentication: something you know, something you have, something you are. So there's the factor of usability too, and there's
been a really good white paper that was put out there that talked about the usability and the business impact of some of the different forms of multi-factor authentication. So for example, one piece, not picking on RSA or anybody, but essentially what these are is tokens, which should be a pretty useful thing: it just gives you a number, you type it in, you're in. But what they found when they were doing this usability study is that productivity from associates that were implementing these would drop dramatically at home; people wouldn't take care of them like they should, they'd leave them at home all the time, and so they were in a role where
they would work in the office and they'd work at home, and all of a sudden their productivity at home had dropped by a significant percentage, because again of the usability considerations around carrying around a token. So the things to kind of keep in mind: SMS. There are all kinds of problems with SMS; we're not going to get into the technical ones, just some usability problems. One of the things they found when they were talking about SMS when it came to online shopping is, okay, so we're going to send an SMS code before they log in so they can make a purchase online. The problem they hit is that sometimes those delays would be like
ten minutes for the SMS to kind of come through, and a user that wanted to spend five dollars would lose patience and say you know what, I'm not buying this. So they lost a lot of sales because of the usability issue. And then there's the card reader built into your laptop, another form. This one is hard to manage today in that we're entering this kind of bring-your-own-device mentality with a lot of organizations, where they're trying to push people, they're trying to give people more options. So I'm working on my laptop so that I can work running around with whatever clients I want to work on,
and all of a sudden, if you want to manage all these different devices, people are panicking. So again, where we're going right now is the soft token solution, where instead of doing SMS we just send you a code on your phone, but then we have to make assumptions that people have phones. There are all of these kinds of design decisions for all the different factors, and so you need to think about your environment, and if you want to push out a multi-factor authentication solution, what potential impacts to the business
could that have because of usability. The other thing I try to do when I talk to interaction designers is I try to teach them the difference between authentication and authorization. Authentication, the act of proving who you are, is a completely separate thing from authorization. A lot of people tend to conflate the two, where they think that authentication and authorization are the exact same thing. So when you're working with these people that are building these forms and they want to grant all these privileges, they need to realize that we treat these as two separate actions rather than having them all be combined. And as an example, basically I think everyone here knows about
relations. So next I'm going to switch to globalization and privacy. This is the big one that we've been kind of fighting with at my company, especially over the last couple of years as we move more into the global market, to start looking at ways that we can figure out what features we need to turn off depending on what territory we're in. So I'll give you an example. As you can see, there are all kinds of different rules depending on where you're at; each one of these countries will have their own list of data privacy rules. So I'll give you examples. Who here knows about the EU cookie law? I saw one person, okay, one. Do you think about
putting a lot... especially, say, if you're going to place a cookie on an end user's device, you need to be able to tell them what that is, what kind of data you're storing, and be transparent about the purposes, so that they can make educated decisions about whether or not they're going to allow you to put it on their laptop. Another one is session recording. I'm going to get into all that a little bit later, but, like session recording here in Germany, for example, you need to ask their permission before you can actually record their sessions; it's actually illegal to record them without their consent when they're at their job. There are all kinds of rules
when you start shipping some of these solutions to different territories. One memorable one: we first started moving into Germany because there's a really big office there, and one of the things that we learned pretty quickly is that sharing personal information of a German associate is a pretty hot topic; you need to be able to ask permission first. So in Exchange, you're not going to show a little picture of the person who sent you an email, even though they work in the same company as you do; we had to turn all that off for the German associates because we respect their privacy. And then what kinds of resources are out there to tell you
about the different rules for the different territories? This one I've used to try and get a quick temperature of: okay, we're standing up a solution in this territory, what will the privacy look like, what are the security concerns, is there encryption? PII, PHI, I need to know what all those different rules are. They're gathering requirements, and again this is where designers and security have to meet, because they need to have your security requirements; I need to build this as well before we push it out. So I'm going to talk a lot about security stuff with you guys, so we need to start putting stuff together when
you start bridging that gap. So if we want to start working more with these people from other disciplines, how do we do that, how do we build that bridge? First is share your process. A lot of times people have incredibly insightful reasons for wanting a team to do a specific thing. So for example, let's say we say a design shouldn't have security questions as its method to recover your account, right. And so they'll say well, how come, and so give them the answer and share the process which you used to get there. Similarly, if the designers say something confusing like hey, I need to make a form here and I need to hide this name, and I can't
use the color red for their name, and we ask why, and they'll say well, because in China red means a totally different thing; in indicators in the US red means hey, it's bad, but it's actually good luck over there. So sharing a process helps build that level of trust between the disciplines, and understanding the indications of the other disciplines, also interaction. So one of the things that helps me quite a bit in this regard is a good example. So there is a thing called responsive web design, I'm going to get up on my soapbox here, in which you can build a page once and it works on all kinds of different screen sizes, and I was shuffling around all the
different things, playing with different layouts, and my developers say hey, you can't do that; every time you see that, there's a bunch of JavaScript trying to organize the content and get it to display properly as an element. Okay, well I didn't realize that, and so it gave me the ability from that to make smarter decisions. In the world of security, so session recording again: I thought when pushing out some of these solutions that would do session recording that it was totally okay to just force it on associates, so it was then when I got
educated by a security person, he was a compliance officer, that I had to ask for permission, that it gave me the education, and also that going forward I didn't have to keep asking, I understood. And then build relationships, and this is probably one of the most important ones, and this is something as simple as just going and sitting in with people. So when you see this development team that you've never really had a chance to work with, go down and sit down and watch, build a rapport, so that when you have those times when you have to have those hard conversations and need to
push back on each other, you have that mutual understanding and mutual respect. I'm going to talk about a success story a little bit further in here. So we rolled out PAM, which is privileged access management. It's essentially a way to gain access to certain resources, so it could be maybe a back-end node, and then if that person wants to go and access that resource they have to go through your PAM solution, to be like, imagine a portal, or it could be a server that you SSH into that then puts you on another server. All kinds of different flavors of PAM. And the very first time that we tried to stand up PAM, we did the if
you build it they will come approach, which says hey, we're going to stand this thing up and people just have to use it because, you know, we work here for security, they say yes, good. But what we found is that pushing something like that in a really large corporation took a Herculean amount of strength that quite frankly we didn't have the clout to do, and so we had really, really little adoption, and it was available for months, but we didn't get there because we were making a tough market. And like okay, well let's take a step back. So let's reappropriate concepts that we have. So I said okay, I'll run this. The first thing:
I observed my users, which doesn't mean going and talking to them like most organizations do, saying hey, how many people, what kind of work do they do, what did you access; it was sitting down and watching them do their work, understanding the different workflows that they have. And sometimes it was really painful: like a lot of our people have to work at 2:00 a.m. because that's the time the systems were the least busy, and I was like you know what, I will get up at 2 a.m. and sit there and watch through a screen share from home, but I learned a whole lot. I learned that I had a ton of assumptions in the first
push of PAM that were completely incorrect. I learned, for example, I just assumed that every time somebody, whatever engineer, wanted to log in to a Windows box they'd go on, they'd log in, they'd do their work, and then they'd log off. What I found is actually it's way more complicated: they'd log into one node and then they'd go log into another, so there was one quick session, because they only had an hour to get a whole lot of work done. If they went over this hour then all of a sudden there were penalties from our clients because we didn't get our work done fast enough. So there was a time constraint and there was a lot of
rapid hopping around, and it gave me a whole lot of insight into their ability to work without friction. The next is crafting personas. So personas are typically a thing that a lot of interaction designers do. If you don't have access to an interaction designer it's still a valuable exercise to go through and create these, and what these are is they're essentially like make-believe people that you get from interviewing all the different users at your company. So we'll go through and we'll interview all of our system engineers and I'll make system engineer Bob, and I'll say he works at this time, he uses these tools, he logs in at this time and comes back later, and then I'm going to keep that document around as a
reference point, so that when we have to do more products I can say, what does the system engineer do today? Oh yeah, that's right, we have our persona of system engineer Bob that we can constantly refer back to. There's a really good book called The Inmates Are Running the Asylum by Alan Cooper. He used to work at Microsoft, he was like the father of Visual Basic back in the day, and now runs his own business doing design consulting work, but he was the one that really first kind of talked about the use of personas as a way to better understand your end users. And then the third one was integrating into their workflows. So I'm going to use, for
comparison, a different approach than the if-you-build-it-they-will-come technique we used the first time with PAM. Going into it, we understood those workflows and found how we can insert our tool into their existing workflows and cause the least amount of disruption. One of the things that happens is any time you make any kind of change to a person's workflow, that increases complexity; it means they have to learn something new, they have to change the way they do things from what they're doing today. And it's possible to figure out the best place to be minimally disruptive to whatever the current workflow is. So what we decided for ourselves was we chose a solution that was really
command line tool friendly. So instead of saying hey, everyone has to go to this portal, instead, with this tool, you can use all your existing tools, keep using what you've got, just change a string, and they loved it. They loved it because they could SSH without passwords, they loved it because they had those recordings, because they could go back and see hey, I made a mistake, what did I do, and they can go in and check it. And it was the first time that the executive over our organization, and normally when you go talk to an executive about security they push back, but he said hey,
normally when we do a new security project it's painful, people complain, but in this case my associates are happy, they want it, they were begging us to roll it out faster. And one of the reasons was because we had quality through both: we figured out a way to implement it where we're not going to disrupt their process, it would make the job easier, because it gave them more data to reference later on. And I'm going to kind of close out with close tie-backs to the octave example: the paranoids, the internal security team, often clash with other parts of the business over security costs,
and I want to build out the concept of pushing empathy. So when your designers are out there, one of the big things that they talk about is having empathy for their end users, so that they can try and make things as easy for them as they possibly can. But what there really needs to be more of is empathy for your coworkers, empathy for developers and for your security professionals, and understanding that, you know, a lot of these concerns that we're feeling, they're going through too. I know every single one of my security teams feels like if they had more man-hours, if they had more money, a larger budget, they could accomplish so much more, and I really see
that they work with the exact same constraints, and so it's important that as we kind of work together that we maintain that level of empathy, so that by bridging the gap between the two disciplines we can be more successful with our projects. Oh yeah, that's right, I brought up, you know, my daddy's name; you lie down.